The server and data centre versions of Atlassian’s Bitbucket software have a critical command injection vulnerability.
Part of the company’s DevOps offering, Bitbucket is a Git-based code hosting service integrated with Jira.
There are free and commercial plans, and Bitbucket supports an unlimited number of private repositories.
According to Atlassian, the bug was introduced in version 7.0.0 of Bitbucket, and “all versions released after 6.10.17” are affected, so “all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.”
Designated CVE-2022-36804, the issue is in multiple API endpoints of Bitbucket Server and Data Center.
“An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request”, the advisory explains.
Cloud sites hosted at bitbucket.org are not affected.
Twitter user @TheGrandPew, who discovered the bug and reported it through Atlassian’s bug bounty program, has promised proof-of-concept code in 30 days.
Support the originator by clicking the read the rest link below.
